8.8

CVE-2021-41805

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HashicorpConsul SwEditionenterprise Version >= 1.7.0 < 1.8.17
HashicorpConsul SwEditionenterprise Version >= 1.9.0 < 1.9.11
HashicorpConsul SwEditionenterprise Version >= 1.10.0 < 1.10.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 34.79% 0.982
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.hashicorp.com/blog/category/consul
Vendor Advisory
Product
https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871
Vendor Advisory
https://security.netapp.com/advisory/ntap-20211229-0007/
Third Party Advisory